I am using encfs and I've been quite happy with it so far, but I have one issue that can be somewhat annoying.

Say my favourite mount point is ~/encfsmnt. My problem is that if my encfs isn't mounted yet that is non-obvious. I may wind up happily writing into the directory ~/encfsmnt, instead of the data being encrypted by encfs into the encfs lower directory.

The obvious way to fix this would be to set the file mode of ~/encfsmnt to, say, 400 (dr--------), but apparently encfs requires that the mount point directory be writable for the mount to be successful (I get a "fusermount: user has no write access to mountpoint" error message).

Is there any way to make my mount point unwritable unless encfs is actually mounted to it?

Quantumboredom

1 Answer

I am afraid either it is writable or not. In order to make it writable for a certain process (fusermount) only you probably need an LSM (AppArmor, SELinux or similar). This requires root access, of course.

The easier solution might be to integrate chmod u+w ~/encfsmnt into the fusermount call (if you don't have a GUI do that for you). Create a small script which does that after calling fusermount (and deletes write access after umount).

Or change the mountpoint: Make ~/encfsmnt.mp the mountpoint (if that is possible, otherwise get used to writing to a different target). Within the mounted ~/encfsmnt.mp you create a directory where all your (new) stuff goes to: ~/encfsmnt.mp/new. You create the same directory in the unmounted ~/encfsmnt.mp. But you write-protect that one.

Then you make ~/encfsmnt a symlink to ~/encfsmnt.mp/new. If unmounted, the directory is write-protected; if mounted, it is writable. This doesn't work, of course, if you cd into that directory.

Hmm, interesting idea: Does fusermount work if ~/encfsmnt has write right but no execute right?

Hauke Laging
  • Execute rights are needed ("fusermount: failed to chdir to mountpoint: Permission denied"). But I like the idea of having a subdirectory that has 000 permissions in the unmounted directory. I just need to use "-o nonempty" to encfs to force the mount and I essentially have what I need, thanks! – Quantumboredom Feb 11 '13 at 22:16
  • @Quantumboredom +1 for having a subdirectory that has 000 permissions in the unmounted directory. Can you post that as a full answer, for the benefit of those who might not dig into comments? – Amir Oct 03 '17 at 12:52
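
The layout from the answer (symlink into a subdirectory of the mount point) combined with the 000-permission placeholder from the comment, as an added example that is not part of the original posts. The function names, the use of /proc/mounts and the "fuse.encfs" type string are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original posts. Function names are hypothetical.
# Assumes Linux, absolute paths without spaces, and that encfs mounts appear in
# /proc/mounts with filesystem type "fuse.encfs".

# is_mounted MP [MOUNTS_FILE]: succeed only if MP is a live encfs mount.
is_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# prepare_guard MP LINK [MOUNTS_FILE]: build the unmounted layout.
#   MP/new  placeholder with mode 000, so writes and cd fail for a normal user
#   LINK    symlink to MP/new; this is the path you actually work in
# Refuses to run while MP is mounted, so it never chmods the real data.
prepare_guard() {
    if is_mounted "$1" "${3:-/proc/mounts}"; then
        echo "prepare_guard: $1 is mounted, unmount it first" >&2
        return 1
    fi
    mkdir -p "$1/new" && chmod 000 "$1/new" && ln -sfn "$1/new" "$2"
}

# guarded_target LINK MP [MOUNTS_FILE]: print LINK only when MP is mounted.
# For backup or sync scripts that must never write into the placeholder.
guarded_target() {
    if is_mounted "$2" "${3:-/proc/mounts}"; then
        printf '%s\n' "$1"
    else
        echo "guarded_target: $2 is not an encfs mount" >&2
        return 1
    fi
}

# Typical use (MP is non-empty, hence "-o nonempty" as noted in the comment):
#   prepare_guard "$HOME/encfsmnt.mp" "$HOME/encfsmnt"
#   dest=$(guarded_target "$HOME/encfsmnt" "$HOME/encfsmnt.mp") && cp file "$dest/"
```

After the first mount, the real "new" directory still has to be created inside the mounted filesystem, as the answer describes, so that the symlink resolves in both states.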